How ThreatConnect stores, uses, and protects customer data
There has been a lot of recent news surrounding compromises in trust where companies purposefully or unintentionally misuse or allow others to misuse customer data. After my last post, in which I talked about the power of data and analytics, I thought it would be a good time to describe ThreatConnect’s efforts around storing, using, and protecting our customers’ data.
Let me start by explaining the types of data that reside in the ThreatConnect Cloud and CAL™ (Collective Analytics Layer) and how that data is stored and used. I’m not going to speak to Dedicated Cloud or On-Premises, because those platform configurations are often customized based on organizational policies or regulatory requirements.
ThreatConnect Cloud consists of the Multi-Tenant ThreatConnect Cloud and CAL™. Users interact with the ThreatConnect Cloud through either direct logins or integrations with other technologies. A user's ThreatConnect Cloud data is stored in their own private account or organization, in a community, or in a source. Restrictions on sharing and usage are specific to the source the data is stored within.
| Where data resides | Data Owner | Data Users |
| --- | --- | --- |
| Individual Account | Individual | Only Individual |
| Organization Account | Organization | All Users of an Organization |
| Community | Community | Access granted by community administrators |
| Data Source | Source Owner | Access granted by source administrators to source participants |
Data sharing to a community is up to the organization or user that owns the data. ThreatConnect acts as a member of some of the communities, and as such, has the same rights and privileges as all of its members.
For example, we may be a member of a particular industry community, and the rules of the community could allow anyone to use the data under Traffic Light Protocol (TLP) White guidelines. If a community administrator invited us to the community, and the data was marked TLP:WHITE, any vetted community member could leverage the information in some aspect of their work. To reiterate, this means that ThreatConnect would only use said data by virtue of our membership in the community, in accordance with the community usage guidelines.
ThreatConnect CAL collects anonymous data from all participating instances of ThreatConnect, including ThreatConnect Cloud. Through large data analysis, CAL provides insights and recommendations that are delivered back to any participating ThreatConnect instance – Cloud, Dedicated Cloud, and On-Premises. These insights can take many forms, including classification of indicators and indicator reputation. We’ve designed these insights to be a boost to in-platform analytics, such as ThreatAssess and Playbooks.
Users of Dedicated Cloud and On-Premises instances of the Platform can choose whether they want to leverage CAL or not. When turned off, both anonymous sharing with CAL and CAL insights are disabled. If you want to have the benefits of CAL, but keep some indicators private, you can also do that by marking indicators as private in your instance. The table below summarizes the data CAL collects from participants, and the value it derives from the data:
| Customer Data Used by CAL | Value Provided |
| --- | --- |
| IOC False Positive Vote (Count) | Provides count of False Positives across CAL-connected platforms and drives CAL recommendations for reputation and indicator status. |
| IOC Impressions (Count) | Provides count of page views, searches, and automated lookups and drives CAL recommendations for reputation and indicator status. |
| IOC Observations (Count) | Provides count of reported observations of IOC across CAL-connected platforms and drives CAL recommendations for reputation and indicator status. |
| IOC Status (Active/Inactive) | Provides a holistic picture of which indicators users want to keep active or inactive in their instance, allowing CAL to recommend better indicator status and reduce time wasted on “junk” IOCs for participants. |
To reiterate, all of the above information is captured and processed in an anonymized, aggregated fashion. After authentication, any identifying information about your instance is separated from the data, and the data is combined to give our analytics an understanding of how to treat it. To put it another way, we don’t track or care about who submitted any of the above information, but rather how many participants submitted it.
Finally, ThreatConnect software instances may be connected to our user feedback platform in order for our product managers and customer success personnel to learn more about our customers’ usage. This is common among most software vendors, as the insights gleaned allow our company to improve our software experience and identify data-driven ways to help our users do their jobs better. Participation in this platform also enables us to deliver interactive guides in the application to help users hit the ground running. Dedicated Cloud and On-Premises software instances can turn off this feature if they want.
Your data and privacy are of the utmost importance to us. We have made, and continue to make, major investments to protect the data you entrust to us. Our Information Security Management System (ISMS) is built on the ISO 27001:2013 set of standards to ensure that we appropriately secure ThreatConnect. Also, we’ve researched GDPR extensively and are taking actions to ensure compliance.
If you have any questions regarding our corporate security program or your data privacy, please use the CONTACT US form and select “Security Program/Compliance” from the dropdown menu.